x509: support non-self-signed certs.

For generating non-self-signed certs we need to be able to specify a
public key (for the signee) which is different from the private key (of
the signer).

R=rsc
CC=golang-dev
https://golang.org/cl/1741045

src/pkg/crypto/x509/x509.go

@@ -761,19 +761,20 @@ var (
 // MaxPathLen, SubjectKeyId, DNSNames.
 //
 // The certificate is signed by parent. If parent is equal to template then the
-// certificate is self-signed.
+// certificate is self-signed. pub is the public key of the signee. priv is the
+// private key of the signer.
 //
 // The returned slice is the certificate in DER encoding.
-func CreateCertificate(rand io.Reader, template, parent *Certificate, priv *rsa.PrivateKey) (cert []byte, err os.Error) {
+func CreateCertificate(rand io.Reader, template, parent *Certificate, pub *rsa.PublicKey, priv *rsa.PrivateKey) (cert []byte, err os.Error) {
 	asn1PublicKey, err := asn1.MarshalToMemory(rsaPublicKey{
-		N: asn1.RawValue{Tag: 2, Bytes: priv.PublicKey.N.Bytes()},
-		E: priv.PublicKey.E,
+		N: asn1.RawValue{Tag: 2, Bytes: pub.N.Bytes()},
+		E: pub.E,
 	})
 	if err != nil {
 		return
 	}
 
-	if len(template.SubjectKeyId) > 0 && len(parent.SubjectKeyId) > 0 {
+	if len(parent.SubjectKeyId) > 0 {
 		template.AuthorityKeyId = parent.SubjectKeyId
 	}
 

src/pkg/crypto/x509/x509_test.go

@@ -174,7 +174,7 @@ func TestCreateSelfSignedCertificate(t *testing.T) {
 		DNSNames:              []string{"test.example.com"},
 	}
 
-	derBytes, err := CreateCertificate(urandom, &template, &template, priv)
+	derBytes, err := CreateCertificate(urandom, &template, &template, &priv.PublicKey, priv)
 	if err != nil {
 		t.Errorf("Failed to create certificate: %s", err)
 		return